The gang's members have moved into different criminal activities, and could regroup once law-enforcement attention has simmered down a bit, researchers say.

Two months after the infamous Conti ransomware gang ceased operations, several of its members remain as active as ever either as part of other ransomware groups or as independent contractors focused on data theft, initial network access, and other criminal endeavors.

Separately, they remain as dangerous to organizations as they used to be as members of a single gang, according to Intel 471. Its researchers have been tracking Conti actors as they have moved in different directions since the group dissolved in May. 

The cessation of operations appears to be a bid by the group's operators to distance themselves from the brand more than anything else. In a new report, the threat intelligence firm speculates that once law-enforcement attention around the Conti group wanes, it's likely that its now-scattered members will regroup and form another criminal organization similar in structure to the original.

"In order to defend their enterprises, security practitioners need to understand how cybercriminals organize their operations," says Brad Crompton, director of intelligence for Intel 471's shared services group. "Even though Conti is defunct, former operators are still using similar \[tactics, techniques, and procedures\], which means security teams can still use their prior strategies in stopping similar attacks rather than ignoring them altogether in light of Conti's demise."

**Most-Destructive Ransomware Group**

The Conti group is widely regarded within the security industry as one of the most destructive ransomware operations of all time. The predominantly Russia-based group first surfaced in 2020, and has used a variety of tactics to break into victim networks — including via spear-phishing campaigns, stolen Remote Desktop Protocol credentials, software vulnerabilities, and poisoned software.

The FBI estimated that by January, the gang had collected some $150 million in ransom payouts from more than 1,000 victims worldwide—including more than 400 in the US. The scale of its destruction prompted the US State Department in May to announce a $10 million reward for information leading to the identification and/or location of key individuals of the gang. The State Department offered another $5 million for information leading to the arrest and conviction of individuals participating in attacks involving Conti ransomware incidents.

**Leaking a Window into Conti's Operations**

In May, a Ukrainian member of the gang publicly released a big trove of Conti's internal conversations after the Conti team officially announced its support for the Russian government's invasion of Ukraine. Information from that leak, and another previous leak in September 2021 showed the Conti ransomware operation was structured along the lines of a formal business complete with a physical office, scheduled working hours, managers at various tiers and separate departments for HR, coding, training, testing, intelligence gathering, and other functions. 

The FBI, the National Security Agency (NSA), and the US Cybersecurity and Infrastructure Security Agency (CISA) earlier assessed that Conti's developers used a ransomware-as-a-service model to distribute their malware. But instead of taking a cut of the ransom from affiliates — as is usually the case with ransomware-as-a-service — Conti's developers paid attackers a flat fee for deploying their malware on victims' networks.

Significantly, the leaks also appeared to confirm widely held suspicions about a link between Conti's developers and Russia's Federal Security Service (FSB).

**Rebrand & Regroup?**

In mid-May, Conti's developers seemingly abruptly began shutting down infrastructure — such as admin panels, servers, proxy hosts, chatrooms, and a negotiations service site — likely in response to the high level of attention it had managed to attract from law enforcement and media. A few weeks later, it also shut down a site it had used to name-and-shame victims that refused to pay a ransom. 

One analysis by AdvIntel at the time concluded that the group's main actors had already put in place plans to continue the operation under various guises a few months before its official shutdown.

The Black Basta ransomware gang, which started operations in April, or one month before Conti's official exit from the ransomware scene appears to be one such operation. Intel 471 said its analysis of the group's activities show that Black Basta's infrastructure — such as its payment and data leak sites, its payment site, recovery portals, and communication and negotiation methods — have overlaps with Conti's operations.

Intel 471 also  has identified two other ransomware operations — BlackByte and Karakurt — that have similar, significant overlaps with Conti and in fact may simply be rebranded Conti operations. In addition, some Conti affiliates and managers have forged alliances with other ransomware teams, including Ryuk, Maze, LockBit 2.0, BlackCat, Hive, and HelloKitty. According to Intel 471, it is possible also that other actors could use leaked Conti source code to developer their own ransomware and decryption tools.

Post-Breakup, Conti Ransomware Members Remain Dangerous

With security experts warning against attacks on machine learning models and data, startup HiddenLayer aims to protect the neural networks powering AI-augmented products.

As companies increasingly add artificial intelligence (AI) capabilities to their product portfolios, cybersecurity experts warn that the machine learning (ML) components are vulnerable to new types of attacks and need to be protected.

Startup HiddenLayer, which launched on July 19, aims to help companies better protect their sensitive machine-learning models and the data used to train those models. The company has released its first products aimed at the ML detection and response segment, aiming to harden models against attack as well as protect the data used to train those models.

The risks are not theoretical: The company's founders worked at Cylance when researchers found ways to bypass the company's AI engine for detecting malware, says Christopher Sestito, CEO of HiddenLayer.

"They attacked the model through the product itself and interacted with the model enough to ... determine where the model was weakest," he says.

Sestito expects attacks against AI/ML systems to grow as more companies incorporate the features into their products.

"AI and ML are the fastest growing technologies we have ever seen, so we expect them to be the fastest growing attack vectors that we have ever seen as well," he says.

**Flaws in the Machine Learning Model**

ML has become a must-have for many companies' next generation of products, but businesses typically add AI-based features without considering the security implications. Among the threats are model evasion, such as the research conducted against Cylance, and functional extraction, where attackers can query a model and construct a functional equivalent system based on the outputs.

Two years ago, Microsoft, MITRE, and other companies created the Adversarial Machine Learning Threat Matrix to catalog the potential threats against AI-based systems. Now rebranded as the Adversarial Threat Landscape for Artificial Intelligence Systems (ATLAS), the dictionary of possible attacks highlights that innovative technologies will attract innovative attacks.

"Unlike traditional cybersecurity vulnerabilities that are tied to specific software and hardware systems, adversarial ML vulnerabilities are enabled by inherent limitations underlying ML algorithms," according to the ATLAS project page on GitHub. "Data can be weaponized in new ways which requires an extension of how we model cyber adversary behavior, to reflect emerging threat vectors and the rapidly evolving adversarial machine learning attack lifecycle."

The practical threat is well known to the three founders of HiddenLayer — Sestito, Tanner Burns, and James Ballard — who worked together at Cylance. Back then, researchers at Skylight Cyber appended known good code — actually, a list of strings from the game Rocket League's executable — to fool Cylance's technology into believing that 84% of malware was actually benign.

"We led the relief effort after our machine learning model was attacked directly through our product and realized this would be an enormous problem for any organization deploying ML models in their products," Sestito said in a statement announcing HiddenLayer's launch.

**Looking for Adversaries in Real Time**

HiddenLayer aims to create a system that can monitor the operation of ML systems and, without needing access to the data or calculations, determine whether the software is being attacked using one of the known adversarial methods.

"We are looking at the behavioral interactions with the models — it could be an IP address or endpoint," Sestito says. "We are analyzing whether the model is being used as it is intended to be used or if the inputs and outputs are being leveraged or is the requester making very high entropy decisions."

The ability to do behavioral analysis in real time sets the company's ML detection and response apart from other approaches, he says. In addition, the technology does not require access to the specific model or the training data, further insulating intellectual property, HiddenLayer says.

The approach also means that the overhead from the security agent is small, on the order of 1 or 2 milliseconds, says Sestito.

"We are looking at the inputs after the raw data has been vectorized, so there is very little performance hit," he says.

Startup Aims to Secure AI, Machine Learning Development

Researchers go public after vendor disputes impersonation threat

Researchers go public after vendor disputes impersonation threat

Security researchers claim to have uncovered serious security shortcomings in the systems of identity provider Okta.

Identity and access management specialist Authomize went public with four supposed vulnerabilities following an inconclusive disclosure process.

The vulnerabilities “grant threat actors with app admin privileges the ability to extract clear text passwords, impersonate any downstream user, and impersonate anyone in the hub or another spoke,” according to Authomize.

However, Okta remains unconvinced about the seriousness of these supposed flaws, telling The Daily Swig it has no plans to issue security updates in response to Authomize’s research. Users with any lingering concerns have the option to rachet up their default security settings, Okta advised.

Catch up on the latest authentication news

Gal Diskin, CTO and co-founder of Authomize, said it was “working closely with Okta on improving the security of their customers.

“While we might disagree with their decision not to assign CVEs for our findings, the crucial point for us is that they are taking them seriously and that we are collaborating with them based on mutual professional respect,” he told The Daily Swig.

Diskin went on to claim that exploiting the flaws would not be difficult for even a modestly skilled attacker.

“If you have the right privileges/configuration \[then you\], and anyone with even limited technical skills, can carry out this exploitation,” he said.

Distin continued: “Attackers may use these flaws to: steal passwords for all employees, escalate privileges to super-admin, build persistent hidden backdoors, compromise all downstream apps to perform doxing, impersonation, theft, or for ransom purposes.

“Attackers can use super-admin privileges to perform destructive attacks against downstream apps connected to any IdP \[identity provider\],” he added.

**Underground chatter**

Asked directly, Authomize admitted it had no evidence of real world exploitation of the flaws it discusses. The security consultancy nonetheless argues that exploitation might have occurred “under the radar”.

“There have been certain unexplained password and username leaks that may end up being traced back to these issues,” Distin told The Daily Swig. “We’ve also heard from partners in threat intelligence firms that they see identity systems being widely discussed as targets in cybercriminal forums.”

**Potential for wider threat**

Authomize reckons the security shortcomings it unearthed are particular to Okta – rather than being a generic issue that also affects other identity providers.

Distin told The Daily Swig: “From our research, it does not appear that other IdPs are similarly at risk.”

“That being said, there are certain attacks inherent to any IdPs such as impersonation via upstream IdPs, username manipulations in downstream apps, and various other misconfigurations that our research suggests requires persistent monitoring,” they concluded.

Okta, however, told The Daily Swig that the issues uncovered by Authomize are not particular to itself and can be addressed by following industry best practice.

“Authomize reached out to Okta with the technical details of their blog post,” Okta told The Daily Swig. “After thorough review, our determination is that the listed items are not unique to Okta and that applying security best-practices will mitigate any risks found with the items in the blog.

“Okta customers who want to increase the security of their organization can utilize our online product documentation to apply the most secure settings,” it added.

YOU MIGHT ALSO LIKE Fantasy Premier League football app introduces 2FA to tackle account takeover hacks

‘Password extraction risk’ in identity provider Okta disputed

The 2nd International Workshop on Cyber Forensics and Threat Investigations Challenges will take place October 10th through the 11th, 2022.

**2nd International Workshop On Cyber Forensics And Threat Investigations Challenges Call For Papers**

    2nd International Workshop on Cyber Forensics and ThreatInvestigations ChallengesOctober 10-11, 2022, Taking Place Virtually from the UKhttps://easychair.org/cfp/CFTIC2022Cyber forensics and threat investigations has rapidly emerged as a newfield of research to provide the key elements for maintainingsecurity, reliability, and trustworthiness of the next generation ofemerging technologies such as the internet of things, cyber-physicalsystems, cloud/edge/fog computing, software-defined network, andnetwork function virtualization. Complicated efforts are required insuitable and timely manners against any threats detected within thesesystems. Moreover, new frameworks are required to collect and preservepotential evidential data in suitable and timely manners as well. Toguarantee proper cyber-defenses and strategies against the expandinglandscape of criminal activities as well as rapidly advancing emergingtechnologies.The main motivation for this Workshop is to bring together researchersand practitioners working on cyber forensics and threat investigationsfor emerging infrastructures to disseminate current research issuesand advances. Original technical papers describing new,state-of-the-art research, will be considered. The Workshop welcomessubmissions that evaluate existing research results by reproducingexperiments. The aim of this workshop is to provide insight for thediscussion of the major research challenges and achievements onvarious topics of interest.Important DatesTechnical Paper Submission Deadline: 15 September 2022Poster and Demo Track Submission Deadline: 20 September 2022Authors Notifications: 30 September 2022Camera Ready due: 05 October 2022The registration is free-off-charge for All members of the Association(Thanks to our financial supporters who made this possible)Scope of The WorkshopTechnical Paper TrackPapers on practical as well as theoretical topics and problems invarious topics related to cyber forensics and threat investigationsare invited, with special emphasis on novel techniques and tools tocollect data from networked systems and services in emergingtechnologies (such as the ones can be found in cyber-physical systemsand Internet of things, cloud/edge/fog computing, software-definednetwork, and network function virtualization). Topics include (but arenot limited to):·        Forensics and threat investigations in IoT·        Forensics and threat investigations in peer-to-peer, andsocial networks·        Forensics and threat investigations in SDN/NFV·        Forensics and threat investigations in Cloud Computing·        Forensics and threat investigations in Smart TechnologiesSystems (Smart Cars, Smart Homes, Smart Cities)·        Dark Web Investigations, Forensics, and Monitoring·        Forensics and threat investigations in Virtual private networks·        Security and Privacy in Clouds, Fog Computing, and 5G, and 6G·        Security and Privacy in IoT, SDN/NFV, and Edge Computing·        Security and Privacy in Smart Technologies Systems (SmartCars, Smart Homes, Smart Cities)·        Forensics and visualization of Big Data·        Trusted Computing in Smart Technologies Systems (Smart Cars,Smart Homes, Smart Cities)·        Tools and services for cyber forensics and threat investigations·        OSINT (Open Source Intelligence)·        Cooperative and distributed forensics and threat investigations·        Advanced threat investigations, forensic and anti-forensic techniques·        Attack detection, traceback and attribution in Emerging Technologies·        Malware Analysis and Attribution·        Digital Evidence Extraction/Analysis using Artificialintelligence, Machine Learning and Data Mining·        Data exfiltration techniques from networked devices andservices (e.g. cyber-physical systems, and Internet-of-Things)·        Methods for reconstruction of Digital Evidence in Emerging Technologies·        Forensics and threat investigations in E-health/M-health·        Vulnerability & threat detection and mitigation techniquesfor networked services·        Novel large-scale investigations and Machine Learningtechniques to analyze intelligence data sets and logsWe also encourage contributions describing innovative work in therealm of cybersecurity, cyber defense, and digital crimes.Poster and Demo TrackCFTIC 2022 solicits the submission of posters and demos on specificaspects of cyber forensics and threat investigations, particularlyrelated to the subject areas indicated by the CFTIC 2022 topics ofinterest. Posters provide a forum for authors to present their work inan informal and interactive setting. They allow authors and interestedparticipants to engage in discussions about their work. In particular,a poster submission should motivate its relevance to the communitiesof cyber forensics and threat investigations, and summarize the mainchallenges, experiences, and novel ideas. A demonstration shouldpresent an existing tool or research prototype. Authors are expectedto provide a demonstration during the poster and demonstrationsession. A demonstration submission should clearly describe themotivation, the novelty of the contribution, and the applicability ofthe tool or prototype to specific use cases. Posters or demonstrationscan be submitted for evaluation in the form of an extended abstract.Submissions are limited to 1 page including references. Allsubmissions must present only original and unpublished work that isnot currently under review at any other venue. Demonstrations mustinclude in the abstract of the paper a link to a video of up to 5minutes hosted in a permanent location. The video must show theexisting tool or research prototype in action. Moreover,demonstrations are encouraged to include a link to a website where thesource code of the produced software is available when it is possible.SubmissionPaper submissions must present original research or experiences.Late-breaking advances and work-in-progress reports from ongoingresearch are also encouraged. Only original papers that have not beenpublished or submitted for publication elsewhere can be submitted.Also, extended versions of conference or workshop papers that arealready published may be considered as long as the additionalcontribution is at least 30% new content from the original. Eachsubmission must be written in English, accompanied by a 75 to 200-wordabstract, and a list of up to 5 keywords. There is a length limitationof 4 pages (at least 10pt font, one-column format) for extendedabstracts including (title, abstract, figures, tables, andreferences). Submissions must be in ECEASST-CFTIC 2022 template.Authors should submit their papers electronically via the EasyChaironline submission system. (https://easychair.org/conferences/?conf=cftic2022 )·        ECEASST-CFTIC-Latex-Template :https://conceptechint.net/ECEASST-cls-XXX-CFTIC-2022.zip·        ECEASST-CFTIC-Word-Template :https://conceptechint.net/ECEASST-%20CFTIC-2022.docThe submission processes will be managed by easychair If you have usedthis system before, you can use the same username and password. Ifthis is your first time using EasyChair, you will need to register foran account by clicking the “I have no EasyChair account” button. Uponcompletion of registration, you will get a notification email from thesystem and you are ready for submitting your paper. You can upload andre-upload the paper to the system.PublicationCFTIC 2022 proceedings are to be published open access via theElectronic Communications of the EASST Journal (ECEASST) indexed inScopus, DBLP, and listed in the Directory of Open Access Journals(DOAJ). Selected papers presented at the workshop, after furtherrevision, will have the opportunity to be published in special issuesin indexed and/or high-impact factor journals (details on thewebsite).Main Contact: If you have any further questions please contact theworkshop organizers via https://www.acfti.org/contactThis Workshop is Technically Supported byAssociation of Cyber Forensics and Threat Investigators (www.acfti.org)Industrial Cybersecurity Center (www.cci-es.org)Send by Andrew Zayin on Behalf of CFTIC2022 PC Chairs.Andrew Zayin Ph.D, CISSP, CISM, CRISC, CDPSE, PMP________________________________________________________Association of Cyber Forensics and Threat Investigatorshttps://www.acfti.orgTwitter: @acfti

2nd International Workshop On Cyber Forensics And Threat Investigations Challenges Call For Papers

New CAPE platform delivers patented intelligent automation and enforcement of consumer data privacy mandates at lowest total cost of ownership.

SAN JOSE, CA – (July 19, 2022) – GhangorCloud, a leading provider of intelligent information security and data privacy compliance enforcement solutions, today announced its patented Compliance and Privacy Enforcement (CAPE) product offering. The CAPE platform automates tasks associated with data discovery, data classification, data mapping and consumer privacy compliance enforcement in real time across all regulatory compliance mandates including GDPR, CCPA, HIPPA, PCI, PDPB, PDPL and other data privacy laws across the globe.

One of the biggest challenges that global organizations face is the pervasive risk of serious fines as mandated by consumer data privacy regulations. The EU General Data Protection Regulation (GDPR) is among the toughest data protection laws. Under the GDPR, the EU's data protection authorities can impose fines of up to €20 million (roughly $20,372,000), or 4% of worldwide turnover for the preceding financial year – whichever is higher. Companies that fail to comply with data privacy mandates risk not only financial exposure, but also operational and reputational losses.

GhangorCloud’s CAPE solution delivers a highly scalable architecture and can be quickly deployed across an enterprise as well as multi-cloud environments. Its’ AI powered eDiscovery Engine identifies and classifies content automatically, generates privacy enforcement policies without requiring tedious manual intervention, and provides real-time enforcement of privacy mandates to minimize risk and exposure while significantly reducing total cost of ownership.

“Data compliance and privacy enforcement is a daunting task that involves multiple, complex processes and requires the ability to sieve through large volumes of data corpuses at a very high rate both on-premises and across multi-cloud environments,” said Tarique Mustafa, CEO/CTO, GhangorCloud. “Leveraging our patented Intelligent Automation Engine, the CAPE platform addresses these issues with a modern-day data compliance and privacy system for expeditious and error-free performance of complex tasks, while significantly minimizing the cost of enforcement of regulatory compliance and privacy mandates.”

Compliance and Privacy Enforcement (CAPETM) Solution Features Include:  
AI Powered Data eDiscovery:  
GhangorCloud’s AI powered Data Discovery Engine was architected from the ground up to address the deficiencies and constraints of previous generation data discovery solutions.  
• Complex Data Object Definition: CAPE embodies unique AI based patented technologies that greatly facilitate the definition and discovery process for complex data/information objects that can represent any type of concrete and abstract data or information objects of interest. Virtually any kind of data/information such as structured, unstructured, semi-structured, ordered/unordered sets of data and data sequences can all be modelled and automatically identified and classified.  
• Auto Identification: Incorporates sophisticated patented technology for auto-identification of high granularity canonical as well as complex data objects that involve components with cross modality, cross type, composite structured and unstructured, embedded, or independent canonical data types.  
• Auto Classification: CAPE incorporates a unique Auto-Classification Engine that works with sophisticated data object ontologies to auto-classify sensitive information. The Auto-Classification engine examines every data/information object in the corpuses and using GhangorCloud’s patented algorithms automatically classifies it into one of the classification types defined in the data object ontology. It can classify sensitive information as granular as specific words and phrases. The Auto-Classification Engine completely replaces the requirement for manual tagging or fingerprinting of sensitive information. It can readily work out-of- the-box and does not require any pre-processing of data or a laborious training / learning process.

Data Mapping  
CAPE incorporates a sophisticated Data Mapping Engine that automatically creates a persistent Universal Data Map (UDM) for the data/information objects that exist in the enterprise corpuses. This is a crucial capability that greatly facilitates efficient navigation through large storage systems and corpuses following the lineage of any given data/information object of interest. The UDM created by the Data Mapping Engine is used effectively by the CAPE’s Privacy Enforcement Workflow Engine to automatically generate the Data Subject Request (DSR) and Data Subject Access Request (DSAR) service workflow.

Privacy Request Enforcement  
The Privacy Request Enforcement Engine utilizes its Universal Data Map (UDM) and Actor Repository Map (ARM) to correlate Actors (i.e., custodians of data repositories), specific set of repositories over which a given Actor has jurisdiction/authorization and the corresponding operations that they are authorized to perform on the specific data repositories. Using patented AI Algorithms, the engine can automatically discretize the incoming DSAR or DSR jobs into corresponding sets of ‘primitive’ (or atomic) tasks. The ‘primitive’ tasks are then automatically ‘serialized’ into a task sequence using the logical and precedence dependencies between these tasks. The Workflow Engine is equipped with a built-in mechanism to monitor and report the status of the DSAR or DSR fulfillment process, and raise alerts, alarms, or other notifications as appropriate during the fulfillment process.

GhangorCloud’s Compliance and Privacy Enforcement solution is available now. For more information and pricing details, email \[email protected\].

About GhangorCloud  
Headquartered in Silicon Valley, GhangorCloud is a leading provider of intelligent information security and data privacy compliance enforcement solutions. GhangorCloud's Information Security and Consumer Compliance solutions protect data based on its contextual and conceptual significance, using a powerful policy engine and security algorithms to identify, classify, and protect large volumes of information in real-time with unprecedented accuracy. The company is founded by Silicon Valley security veteran Tarique Mustafa and Bhanu Panda, and is backed by a team, board and advisors that include leading authorities from companies like Symantec, McAfee, Trend Micro, Cisco, Juniper, Alteon and Array Networks. For more information, see http://www.ghangorcloud.com/.

GhangorCloud Announces CAPE, a Next Generation Unified Compliance and Data Privacy Enforcement Solution

Builds personalization, posture scoring and enhanced market intelligence into interactive map of the application security ecosystem.

TEL AVIV, Israel, July 19, 2022 (GLOBE NEWSWIRE) -- Enso Security, developers of the first Application Security Posture Management (ASPM) solution, today launched the next iteration of the AppSec Map, its interactive map of the AppSec ecosystem. Embraced by the community for its ability to intuitively segment and visualize the AppSec tech stack, the Map now enables users to create custom maps and generate security posture ratings. By providing a community-driven framework to assess and improve their application security posture, Enso Security is empowering AppSec practitioners to think strategically about their programs and bolster their ability to navigate the fast-moving landscape.

“As a CISO, I always struggled to stay current with which vendors did what and could only have dreamed of a resource like this. I applaud Enso for rallying the community to provide it,” said Ryan Gurney, CISO-in-Residence, YL Ventures. “The AppSec Map is a simple yet powerful tool that makes it easy for practitioners to understand the current AppSec landscape and maintain control over the trajectory of their programs.”

**Enhanced AppSec Map functionality moves the industry forward**  
First launched in July 2021, the AppSec Map defines and classifies the many solutions and services that populate the AppSec landscape. The Map is open to all AppSec vendors. To add a product or a service please click here and once approved, Enso Security will publish it within 3-5 days.

It offers practitioners a holistic view of the AppSec stack and makes it easy for them to research the options available to them. The new iteration enables users to build a custom map and generate a security posture badge based on the code, tools and services their organization uses, offering AppSec practitioners a much deeper understanding of the state and maturity of their programs.

To create a personalized map, users follow a very simple wizard that prompts them to enter the full set of AppSec tools, code and services used by the organization. In a matter of seconds, the Map generates a visual representation of their organization’s AppSec program.

It also generates a Posture Badge -- a graphic that consists of a set of color coded, concentric circles that reflects the health of the user’s AppSec program. The Posture Badge considers the organization's full asset inventory and the effectiveness of the AppSec practices associated with activities on each asset and type of activity (such as Pen-Testing, Static Code Analysis, etc.). Posture Badges place the maps in context, providing a baseline that makes it easier for AppSec teams to identify gaps, analyze how resources are allocated and optimize their programs.

“We initially built the AppSec Map because, despite being seasoned practitioners, our experience navigating the AppSec landscape was pure chaos,” said Chen Gour Arie, chief architect and co-founder of Enso Security. “Given the growing set of buzzwords, acronyms and culture shifts AppSec professionals contend with, we’re excited to release new functionality that makes it even easier to separate the wheat from the chaff. We’re blown away by how well the Map has been received and hope we can continue to be of service to the community as they navigate the ever-shifting pool of AppSec resources at their disposal.”

The AppSec Map includes commercial services and solutions as well as open-source tools and projects for any AppSec-related activity, from security training to pen-testing to runtime detection and protection.

Because the Map is community driven, as services and toolsets mature and evolve, so does the Map. The AppSec community and vendors are encouraged to share their ideas and thoughts on how to improve this map, and to submit their solutions so that the community can easily discover the value it adds to their AppSec program. The AppSec Map can be found at https://appsecmap.com.

**About Enso Security**  
Enso Security is transforming application security by empowering organizations to build, manage and scale their AppSec programs. Its Application Security Posture Management (ASPM) platform easily deploys into an organization’s environment to create an actionable, unified inventory of all application assets, their owners, security posture and associated risk. With Enso Security, AppSec teams gain the capacity to manage the tools, people and processes involved in application security, enabling them to build a simplified, agile and scalable application security program without interfering with development. Enso has been recognized with numerous awards including the 2022 Excellence Awards, Globee Awards, and Forbes Top 20 Cybersecurity Startups to Watch.

Enso Security Leads Industry Mission to Bring Control to Chaos With Community-Driven AppSec Map

Cybersecurity researchers have taken the wraps off a previously undocumented spyware targeting the Apple macOS operating system.
The malware, codenamed CloudMensis by Slovak cybersecurity firm ESET, is said to exclusively use public cloud storage services such as pCloud, Yandex Disk, and Dropbox for receiving attacker commands and exfiltrating files.
"Its capabilities clearly show that the

Cybersecurity researchers have taken the wraps off a previously undocumented spyware targeting the Apple macOS operating system.

The malware, codenamed **CloudMensis** by Slovak cybersecurity firm ESET, is said to exclusively use public cloud storage services such as pCloud, Yandex Disk, and Dropbox for receiving attacker commands and exfiltrating files.

"Its capabilities clearly show that the intent of its operators is to gather information from the victims' Macs by exfiltrating documents, keystrokes, and screen captures," ESET researcher Marc-Etienne M.Léveillé said in a report published today.

CloudMensis, written in Objective-C, was first discovered in April 2022 and is designed to strike both Intel and Apple silicon architectures. The initial infection vector for the attacks and the targets remain unknown as yet. But its very limited distribution is an indication that the malware is being used as part of a highly targeted operation directed against entities of interest.

The attack chain spotted by ESET abuses code execution and administrative privileges to launch a first-stage payload that's utilized to fetch and execute a second-stage malware hosted on pCloud, which, in turn, exfiltrates documents, screenshots, and email attachments, among others.

The first-stage downloader is also known to erase traces of Safari sandbox escape and privilege escalation exploits that make use of four now-resolved security flaws in 2017, suggesting that CloudMensis may have flown under the radar for many years.

The implant also comes with features to bypass the Transparency, Consent, and Control (TCC) security framework, which aims to ensure that all apps obtain user consent before accessing files in Documents, Downloads, Desktop, iCloud Drive, and network volumes.

It achieves this by exploiting another patched security vulnerability tracked as CVE-2020-9934 that came to light in 2020. Other functions supported by the backdoor include getting the list of running processes, capturing screenshots, listing files from removable storage devices, and running shell commands and other arbitrary payloads.

On top of that, an analysis of metadata from the cloud storage infrastructure shows that the pCloud accounts were created on January 19, 2022, with the compromises commencing on February 4 and peaking in March.

"The general quality of the code and lack of obfuscation shows the authors may not be very familiar with Mac development and are not so advanced," M.Léveillé said. "Nonetheless a lot of resources were put into making CloudMensis a powerful spying tool and a menace to potential targets."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Experts Uncover New CloudMensis Spyware Targeting Apple macOS Users

Two client-side risks dominate the problems with data loss and data exfiltration: improperly placed trackers on websites and web applications and malicious client-side code pulled from third-party repositories like NPM. 
Client-side security researchers are finding that improperly placed trackers, while not intentionally malicious, are a growing problem and have clear and significant privacy

Two client-side risks dominate the problems with data loss and data exfiltration: improperly placed trackers on websites and web applications and malicious client-side code pulled from third-party repositories like NPM.

Client-side security researchers are finding that improperly placed trackers, while not intentionally malicious, are a growing problem and have clear and significant privacy implications when it comes to both compliance/regulatory concerns, like HIPAA or PCI DSS 4.0. To highlight the risks with misplaced trackers, a recent study by The Markup (a non-profit news organization) examined Newsweek's top 100 hospitals in America. They found a Facebook tracker on one-third of the hospital websites which sent Facebook highly personal healthcare data whenever the user clicked the "schedule appointment" button. The data was not necessarily anonymized, because the data was connected to an IP address, and both the IP address and the appointment information get delivered to Facebook.

Journalists and client-side security researchers aren't the only ones looking at data privacy issues. Last week, the FTC announced its plans to crack down on tech companies' improper or illegal use and sharing of highly sensitive data. The FTC indicated they also plan to target false claims about data anonymization. The government agency points out that sensitive health information combined with the shadowy data security practices used by technology companies is extremely problematic, with most customers having little or no knowledge of how their data is collected, what data is collected, how it is used, or how it is protected.

The security industry has repeatedly proven how easy it is to re-identify anonymized data by combining several datasets to create a clear picture of the end user's identity.

In addition to improperly placed web trackers, client-side security researchers are warning about the risks associated with JavaScript code pulled from third-party repositories, like NPM. Recent research found that package managers containing obfuscated and malicious JavaScript was being used to harvest sensitive information from websites and web applications. Using sources like NPM, malicious threat actors target organizations via a JavaScript software supply chain attack using rogue components to exfiltrate data entered into forms by users on websites that include this malicious code.

Client-side security researchers advise several approaches for identifying and mitigating these two primary risks. Client-side attack surface monitoring is the most comprehensive and fully protects end users and businesses from the risk of data theft due to Magecart, e-skimming, cross-site scripting, and JavaScript injection attacks. Other tools, like web application firewalls (WAFs), protect some aspects of the client-side attack surface but fail to protect activities happening on dynamic web pages. Content security policies (CSPs) are another good client-side security tool, but CSPs are cumbersome. Manual code reviews to identify problems with CSPs can mean long hours (or days) scouring through thousands of lines of web application script.

Security professionals can also explore client-side attack surface mapping solutions that incorporate threat intelligence, access insights (which assets are accessing what data), and privacy (is any of the data being shared to external sources inappropriately).

Client-side attack surface monitoring solutions are a relatively new cybersecurity technology that automatically discovers all of a company's web assets and reports on their data access. These solutions use headless browsers to navigate through all the JavaScript contained on the website and web application pages. They gather real-time information about how the scanned website works from the end user's perspective.

A key technological component in client-side attack surface monitoring solutions are synthetic users, deployed during threat detection crawls to interact the way a real human would on dynamic web pages. These synthetic users can complete a variety of activities, including clicking active links, submitting forms, solving Captchas, and entering financial information. Synthetic user interaction is logged and monitored, followed by behavioral analyses and logic injection into each page to gather the information that is difficult to collect manually, including form data, the data third-party scripts have access to, trackers that are deployed and their activities, and any forms or third-party scripts transferring data across national boundaries.

Solutions should also be able to operationalize any issues discovered in the identification or client-side mapping process through the use of allowlists and blocklists and through post-scan informational analyses to obtain synthesized intelligence to secure web applications from harm.

Security professionals with expertise on the client side are strongly advising organizations in industries such as financial services, media/entertainment, e-commerce, healthcare, and technology/SaaS that have multiple front-end web applications to understand client-side security and how client-side risks may impact their business.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Security Experts Warn of Two Primary Client-Side Risks Associated with Data Exfiltration and Loss

A new method devised to leak information and jump over air-gaps takes advantage of Serial Advanced Technology Attachment (SATA) or Serial ATA cables as a communication medium, adding to a long list of electromagnetic, magnetic, electric, optical, and acoustic methods already demonstrated to plunder data.
"Although air-gap computers have no wireless connectivity, we show that attackers can use

A new method devised to leak information and jump over air-gaps takes advantage of Serial Advanced Technology Attachment (SATA) or Serial ATA cables as a communication medium, adding to a long list of electromagnetic, magnetic, electric, optical, and acoustic methods already demonstrated to plunder data.

"Although air-gap computers have no wireless connectivity, we show that attackers can use the SATA cable as a wireless antenna to transfer radio signals at the 6GHz frequency band," Dr. Mordechai Guri, the head of R&D in the Cyber Security Research Center in the Ben Gurion University of the Negev in Israel, wrote in a paper published last week.

The technique, dubbed **SATAn**, takes advantage of the prevalence of the computer bus interface, making it "highly available to attackers in a wide range of computer systems and IT environments."

Put simply, the goal is to use the SATA cable as a covert channel to emanate electromagnetic signals and transfer a brief amount of sensitive information from highly secured, air-gapped computers wirelessly to a nearby receiver more than 1m away.

An air-gapped network is one that's physically isolated from any other networks in order to increase its security. Air-gapping is seen as an essential mechanism to safeguard high-value systems that are of huge interest to espionage-motivated threat actors.

That said, attacks targeting critical mission-control systems have grown in number and sophistication in recent years, as observed recently in the case of Industroyer 2 and PIPEDREAM (aka INCONTROLLER).

Dr. Guri is no stranger to coming up with novel techniques to extract sensitive data from offline networks, with the researcher concocting four different approaches since the start of 2020 that leverage various side-channels to surreptitiously siphon information.

These include BRIGHTNESS (LCD screen brightness), POWER-SUPPLaY (power supply unit), AIR-FI (Wi-Fi signals), and LANtenna (Ethernet cables). The latest approach is no different, wherein it takes advantage of the Serial ATA cable to achieve the same goals.

Serial ATA is a bus interface and an Integrated Drive Electronics (IDE) standard that's used to transfer data at higher rates to mass storage devices. One of its chief uses is to connect hard disk drives (HDD), solid-state drives (SSD), and optical drives (CD/DVD) to the computer's motherboard.

Unlike breaching a traditional network by means of spear-phishing or watering holes, compromising an air-gapped network requires more complex strategies such as a supply chain attack, using removable media (e.g., USBStealer and USBFerry), or rogue insiders to plant malware.

For an adversary whose aim is to steal confidential information, financial data, and intellectual property, the initial penetration is only the start of the attack chain that's followed by reconnaissance, data gathering, and data exfiltration through workstations that contain active SATA interfaces.

In the final data reception phase, the transmitted data is captured through a hidden receiver or relies on a malicious insider in an organization to carry a radio receiver near the air-gapped system. "The receiver monitors the 6GHz spectrum for a potential transmission, demodulates the data, decodes it, and sends it to the attacker," Dr. Guri explained.

As countermeasures, it's recommended to take steps to prevent the threat actor from gaining an initial foothold, use an external Radio frequency (RF) monitoring system to detect anomalies in the 6GHz frequency band from the air-gapped system, or alternatively polluting the transmission with random read and write operations when a suspicious covert channel activity is detected.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

New Air-Gap Attack Uses SATA Cable as an Antenna to Transfer Radio Signals

Linus Torvalds says Retbleed has been addressed in the Linux kernel, but code complexity means the release will be delayed by a week to give more time for testing.

Linux kernel developers have successfully addressed Retbleed, the latest Spectre-like speculative execution attack against older AMD and Intel processors, Linus Torvalds wrote in a message to the Linux Kernel Mailing List on Sunday. However, the difficult repair process means there will be a delay of the release for Linux version 5.19 by a week.

"I think we've got the retbleed fallout all handled (knock wood)," Torvalds wrote.

The complexity of the fix wasn't the only reason for the release; there were two other development trees that independently asked for an extension. The other trees that needed the extension involve the btrfs filesystems and firmware for Intel GPU controllers.

"When we've had one of those embargoed \[hardware\] issues pending, the patches didn't get the open development, and then as a result missed all the usual sanity checking by all the automation build and test infrastructure we have," Torvalds explained. "So, 5.19 will be one of those releases that have an additional rc8 next weekend before the final release."

Last week, researchers at ETH Zurich announced the discovery of Retbleed, an addition to the family of speculative execution attacks that began with Meltdown and Spectre. The researchers named the family of these vulnerabilities Spectre-BTI after the attack method: via a branch target injection.

Unlike its siblings, Retbleed does not proceed via indirect jumps or calls, but instead uses return instructions. This is significant because it undermines some of the current Spectre-BTI protections, the researchers wrote.

In response, Intel and AMD issued advisories describing mitigations for CVE-2022-29901 (Intel CPUs) and CVE-2022-2990 (AMD CPUs).

**Speculative Execution Exploits Here to Stay**

The discovery follows Hertzbleed, discovered in June, which exploited a side-channel flaw in Intel and AMD processors, allowing remote attackers with low privileges to infer sensitive information by observing power-throttling changes in the CPU.

The attacks leverage weaknesses in the speculative execution process, a performance optimization technique in modern CPUs.

Other major speculative execution vulnerability exploits uncovered in recent years include Meltdown, Spectre, and SWAPGS.

A team of Google researchers published a deep analysis of the issue back in 2019, positing that chip makers' focus on performance has left microprocessors open to numerous side-channel attacks that cannot be fixed by software updates.

Some experts believe exploits like Spectre and Meltdown will force customers to make tradeoffs between performance and security of applications. They predict these types of threats will become much more dangerous in cloud and virtual environments.

A 2019 survey from Login VSI found patches negatively impacted performance for a fifth of those who applied them, with at times substantial performance reductions.

Tag

#intel